Monthly Release Notes - November 2019

Core Security


Core Impact

Version: 19.1.4

Nov 30, 2019

Enhancements
  • Linux Kernel libfutex Privilege Escalation Exploit Update: This module has improvements for the Linux Kernel libfutex exploit. (CVE-2014-3153)

  • Apache Solr Velocity Template Remote OS Command Injection Exploit Update: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. This update adds automatic core name detection and newer supported versions. (NOCVE-9999-127120)

  • Microsoft Windows Remote Desktop Protocol BlueKeep Use After Free Exploit Update 2: This update adds support for Windows 7 SP1 x64. (CVE-2019-0708)

  • New Exploits:
    • Kibana Timelion Visualizer Remote Javascript OS Command Injection Exploit: An arbitrary code execution vulnerability in the Kibana Timelion visualizer allows an attacker with access to the application to send a request that will attempt to execute JavaScript code with the permissions of the Kibana process on the host system. (CVE-2019-7609)

    • Apache Solr Velocity Template Remote OS Command Injection Exploit: A vulnerability in the Apache Solr Velocity template allows unauthenticated attackers to execute arbitrary OS commands. (NOCVE-9999-127120)

    • SolarWinds Dameware Mini Remote Control Unauthenticated RCE Exploit: The Solarwinds Dameware Mini Remote Client agent supports smart card authentication by default which allows a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable. (CVE-2019-3980)

    • rConfig ajaxServerSettingsChk and search_crud Remote OS Command Injection Exploit: An unauthenticated OS command injection vulnerability in rConfig using the rootUname parameter present in ajaxServerSettingsChk.php allows an attacker to send a request that will attempt to execute OS commands with the permissions of the rConfig process on the host system. Also, an authenticated OS command injection vulnerability using the catCommand parameter present in search.crud.php allows an attacker to do the same as the previous one, but credentials are required. (CVE-2019-16662)

    • AVEVA InduSoft Web Studio Remote Command Injection Exploit: Unauthenticated remote command injection vulnerability in InduSoft Web Studio 8.1 SP2. The vulnerability is exercised via the custom remote agent protocol that is typically found on port 1234 or 51234. An attacker can issue a specially crafted command 66 which causes IWS to load a DB connection file from a network share using SMB. The DB file can contain OS commands that will be executed at the privilege level used by IWS. (CVE-2019-6545)

    • WECON LeviStudioU SMtext Buffer Overflow Exploit: The specific flaw exists within the handling of XML files. When parsing the ShortMessage SMtext element, the process does not properly validate the length of user-supplied data prior to copying it to a buffer. (NOCVE-9999-127119)

    • Apache Solr ENABLE_REMOTE_JMX_OPTS JMX-RMI Remote Code Execution Exploit: Apache Solr is prone to a remote vulnerability that allows attackers to take advantage of an insecure deployment of the JMX/RMI service used to manage and monitor the Java Virtual Machine. By exploiting known methods, it is possible to remotely load an MLet file from an attacker controlled web server that points at a jar file. (CVE-2019-12409)

Core Network Insight

Version: 6.4.2
Enhancements
  • SIEM events can be forwarded now using both TCP and UDP protocols via Syslog. (CAS-0010168588)

  • Performance improvements on the ServiceNow tickets integration.

  • New notification to update ServiceNow synchronization status through the user interface.

  • Logon failures are now audited. (CAS-0010166873)

  • Support for VXLAN packet analysis.

  • Lists now support displaying more than 100 records at a time (e.g. assets, files, threats).

Other Fixes
  • Improvements on diagnostics data reliability. (CAS-0010170402)

  • Improvements on data forensics to improve support diagnostics performance. PostgreSQL logs added.

  • Other under-the-hood improvements, bug fixes and performance improvements to make the product experience even smoother.


Document Management (RJS)


iForms

Version: 2.8.1
Enhancements
  • Pre-installed Java prerequisite is no longer required for Windows installations and is included in the installer

  • Java 8 is now the default startup configuration on IBM i

  • Added support for DataMatrix barcodes within report designer templates

Other Fixes
  • Fixed an issue with using RDX files for checkin to WebDocs Windows which did not include keys 11 through 30 values

  • Fixed an issue preventing use of https URLs for WebDocs Windows servers

iForms Designer

Version: 2.0.6
Enhancements
  • Added support for DataMatrix barcodes within report designer templates
Other Fixes
  • Pre-installed Java prerequisite is no longer required and is included in the installer


GoAnywhere


Version 6.3.0
Applicability Statement 3 (AS3)
  • Added support for the Applicability Statement 3 (AS3) file transfer protocol. The AS3 tasks work with the existing GoAnywhere FTP/S server as the message transport mechanism.
    • Added a new AS3 Resource for defining partner information, such as IDs, authentication, certificates, etc…
    • Added a new Create AS3 Message File task for generating messages to be sent to a trading partner.
    • Added a new Process AS3 Message task for processing messages received from a trading partner.
    • Added a new Create AS3 MDN task used to generate the Message Disposition Notifications, or receipts, to be sent back to the trading partner after a message is received.
    • Added a new AS3 Message Integrity Check task that generates the message digest for nonrepudiation checks.
EDI X12 and EDIFACT Data Translations
  • Added the ability to edit EDI X12 and EDIFACT Transaction Set definitions.
  • Added support for Network Share files in the Read EDI X12 and Read EDIFACT tasks.
  • Updated references of 'X12' to 'EDI X12' in the Read and Write EDI X12 tasks.
  • Removed the invalid 'Add Segment' option from group menus in the Write EDI X12 and Write EDIFACT tasks.
User Authentication
  • Added support for multiple SAML IDP configurations that are now defined per HTTP/S listener. Each HTTP/S listener can have a unique SAML IDP configured for handling authentication of users that access that endpoint.
  • Added a new login routing policy that can be used to dynamically determine how admin and web users authenticate based on their user name.
  • Added the ability for Admin Users to authenticate using digital X.509 certificates.
Language Support
  • Added support for the Dutch language in the Admin Client and Web Client.
  • Added support for the Italian language in the Admin Client and Web Client.
  • Added missing translated messages when configuring an Admin User Group.
  • Enhanced German translations for the Admin Client.
Other Enhancements
  • Added new global SSL/TLS security configuration options to enforce client and server certificate validation.
    • Added a new verification check for X.509 CA certificate Basic Constraints.
    • Added support for Certificate Revocation Lists (CRLs) verification for all SSL/TLS connections.
    • Implemented new certificate extended key usage validation for server authentication, client authentication, and email encryption and signature certificates.
    • Added a date validity check to ensure certificates are valid and not expired.
    • Added user name and email SAN/DN validation for Admin Users and Web Users that authenticate using digital X.509 certificates.
  • Added a Software Identification (SWID) tag.
  • Added the ability to specify a custom configuration directory during installation on Windows, Linux, and Unix operating systems.
  • Added support for encrypting the shared secret password in the gateway.xml configuration file.
  • Added support for encrypted key store passwords in the server.xml of the embedded Tomcat webserver.
  • Added the ability to define the encryption sub key algorithm and size for PGP keys.
  • Enhanced clustering communication to use stronger encryption.
  • Enhanced clustering communication to use external source for authentication tokens.
  • Added the ability to run upgrades using a signed executable (exe) upgrade file for Windows installations.
Other Updates and Fixes
  • Upgraded Apache Tomcat from version 7.0.94 to 7.0.96.
  • Updated JSTL libraries from version 1.2.0 to 1.2.3.
  • Updated the AWS S3 libraries from version 1.11.14 to version 1.11.631.
  • Upgraded the Netty library from version 4.1.33 to 4.1.42.
  • Upgraded Jackson Databind, Core, and Annotations libraries from version 2.9.9 to 2.10.1.
  • Upgraded PostgreSQL JDBC library from version 9.4.1212 to version 42.2.7.
  • Upgraded the Apache HTTP Client libraries from version 4.5.2 to version 4.5.3.
  • Upgraded the Apache POI Excel libraries from version 3.17 to version 4.1.1.
  • Upgraded Apache Commons File Upload library from version 1.3.3 to 1.4.
  • Upgraded the embedded Apache Derby database from version 10.12.1.1 to version 10.14.2.0.
  • Upgraded the UnboundID LDAP SDK from version 4.0.5 to 4.0.11.
  • Removed the dom4j XML parsing library as it was no longer needed.
  • Fixed a potential cross-site scripting issue on the Compose page for Secure Mail.
  • Fixed an issue where preferred algorithms weren't listing correctly when adding a PGP key pair in KMS.
  • Fixed an issue where the version number in the Write EDI X12 task was being written improperly.
  • Fixed an issue where using the AddWebUserIP or RemoveWebUserIP GACMD commands would inadvertently remove web groups from the web user.
  • Fixed an issue with REST APIs where an invalidated session ID was being returned to the client.
  • Fixed an issue where the same Project or Trigger SLA could fail when processing at the same time in certain situations.
  • Fixed an issue with formatting of the 'Last Updated' label on the System Resources tab.
Version 6.2.4
  • Enhanced Cloud Connector ForEachFilePartLoop task to work within existing loop structures.
  • Fixed an issue that would prevent Admin Users from resetting their password when it had expired. This issue was introduced in version 6.2.0.


Powertech


BoKS Reporting Services

Version 7.2.0.1
  • CAS-0010172880 - Performance improvements when importing the BoKS database.

  • Upgrade of dependencies that resolves the vulnerabilities CVE-2018-1000632, CVE-2018-15756, CVE-2019-3795.

  • The Host Group Members report now shows the actual members for a host group instead of the hosts matching the member expression.

  • If you have not installed BRS before, see the installation instructions in the BoKS Reporting Services 7.2 Administrator’s Guide. If you have already installed BRS 7.2, you can upgrade BRS 7.2 to 7.2.0.1 using the ‘rpm -U brs-7.2.0-1.noarch.rpm’ command. Note that you need to reapply any customizations you have made to the BRS user interface after upgrading.


Robot


Robot Alert

Version 6.01
  • Includes RBTSYSLIB 2.02.
  • Removed invalid message on failed conversions.
  • Alert now correctly shows up in Robot Network and other Robot product GUIs.
Version 6.00
  • Robot Alert can now be installed to run in an iASP.
  • Now compatible with Office 365.

Robot System Library

Version 2.02
  • RBTSYSLIB can now be installed or updated without any additional Robot products.

  • RBTSLEEPER can now be active during RBTSYSLIB updates.
  • 100% backward compatibility with Robot products.
